ci: pin docker images by ID for hermeticity #32602
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, the docker images used on CI where specified by a tag (`10.16` and `10.16-browsers`). Since tags are not immutable, this only pins specific characteristics of the environment (e.g. the OS type and the Node.js version), but not others. Especially when using a tag that does not specify the patch version (e.g. `10.16` instead of `10.16.0`), it is inevitable that the image will change at some point, potentially leading to unrelated failures due to changes in the environment. One source of such failures can be the Chrome version used in tests. Since we install a specific ChromeDriver version (that is only compatible with specific Chrome version ranges), unexpectedly updating to a newer Chrome version may break the tests if the new version falls outside the range of supported version for our pinned ChromeDriver. Using a tag that specifies the patch version (e.g. `10.16.0`) or even the OS version (e.g. `10.16.0-buster`) is safer (i.e. has a lower probability of introducing the kind of breakages described above), but is still not fully hermetic. This commit prevents such breakages by pinning the docker images by ID. Image IDs are based on the image's digest (SHA256) and are thus immutable, ensuring that all CI jobs will be running on the exact same image. See [here][1] for more info on pre-built CircleCI docker images and more specifically [pinning images by ID][2]. [1]: https://circleci.com/docs/2.0/circleci-images [2]: https://circleci.com/docs/2.0/circleci-images#using-a-docker-image-id-to-pin-an-image-to-a-fixed-version
gkalpak
force-pushed
the
ci-pin-docker-image
branch
from
7d64411
to
d7dc448
Compare
gkalpak
added
area: build & ci
devversion
approved these changes
Sep 11, 2019
14 tasks
josephperrott
approved these changes
Sep 11, 2019
matsko
pushed a commit
that referenced
this pull request
Sep 11, 2019
Previously, the docker images used on CI where specified by a tag (`10.16` and `10.16-browsers`). Since tags are not immutable, this only pins specific characteristics of the environment (e.g. the OS type and the Node.js version), but not others. Especially when using a tag that does not specify the patch version (e.g. `10.16` instead of `10.16.0`), it is inevitable that the image will change at some point, potentially leading to unrelated failures due to changes in the environment. One source of such failures can be the Chrome version used in tests. Since we install a specific ChromeDriver version (that is only compatible with specific Chrome version ranges), unexpectedly updating to a newer Chrome version may break the tests if the new version falls outside the range of supported version for our pinned ChromeDriver. Using a tag that specifies the patch version (e.g. `10.16.0`) or even the OS version (e.g. `10.16.0-buster`) is safer (i.e. has a lower probability of introducing the kind of breakages described above), but is still not fully hermetic. This commit prevents such breakages by pinning the docker images by ID. Image IDs are based on the image's digest (SHA256) and are thus immutable, ensuring that all CI jobs will be running on the exact same image. See [here][1] for more info on pre-built CircleCI docker images and more specifically [pinning images by ID][2]. [1]: https://circleci.com/docs/2.0/circleci-images [2]: https://circleci.com/docs/2.0/circleci-images#using-a-docker-image-id-to-pin-an-image-to-a-fixed-version PR Close #32602
arnehoek
pushed a commit
to arnehoek/angular
that referenced
this pull request
Sep 26, 2019
Previously, the docker images used on CI where specified by a tag (`10.16` and `10.16-browsers`). Since tags are not immutable, this only pins specific characteristics of the environment (e.g. the OS type and the Node.js version), but not others. Especially when using a tag that does not specify the patch version (e.g. `10.16` instead of `10.16.0`), it is inevitable that the image will change at some point, potentially leading to unrelated failures due to changes in the environment. One source of such failures can be the Chrome version used in tests. Since we install a specific ChromeDriver version (that is only compatible with specific Chrome version ranges), unexpectedly updating to a newer Chrome version may break the tests if the new version falls outside the range of supported version for our pinned ChromeDriver. Using a tag that specifies the patch version (e.g. `10.16.0`) or even the OS version (e.g. `10.16.0-buster`) is safer (i.e. has a lower probability of introducing the kind of breakages described above), but is still not fully hermetic. This commit prevents such breakages by pinning the docker images by ID. Image IDs are based on the image's digest (SHA256) and are thus immutable, ensuring that all CI jobs will be running on the exact same image. See [here][1] for more info on pre-built CircleCI docker images and more specifically [pinning images by ID][2]. [1]: https://circleci.com/docs/2.0/circleci-images [2]: https://circleci.com/docs/2.0/circleci-images#using-a-docker-image-id-to-pin-an-image-to-a-fixed-version PR Close angular#32602
|
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, the docker images used on CI where specified by a tag (
10.16and10.16-browsers). Since tags are not immutable, this only pins specific characteristics of the environment (e.g. the OS type and the Node.js version), but not others. Especially when using a tag that does not specify the patch version (e.g.10.16instead of10.16.0), it is inevitable that the image will change at some point, potentially leading to unrelated failures due to changes in the environment.One source of such failures can be the Chrome version used in tests. Since we install a specific ChromeDriver version (that is only compatible with specific Chrome version ranges), unexpectedly updating to a newer Chrome version may break the tests if the new version falls outside the range of supported version for our pinned ChromeDriver.
Using a tag that specifies the patch version (e.g.
10.16.0) or even the OS version (e.g.10.16.0-buster) is safer (i.e. has a lower probability of introducing the kind of breakages described above), but is still not fully hermetic.This commit prevents such breakages by pinning the docker images by ID. Image IDs are based on the image's digest (SHA256) and are thus immutable, ensuring that all CI jobs will be running on the exact same image.
See here for more info on pre-built CircleCI docker images and more specifically pinning images by ID.